FOREWORD



Military cyberspace operations have been ongoing 
since before the advent of the Internet, and their in- 
fluence on traditional military operations continues to 
increase. What are the significant changes in mission 
and structure of Department of Defense offensive and 
defensive cyberspace activities over the past decade? 
How do joint and Army cyberspace military opera- 
tions fit into the complex and dynamic sphere of daily 
network defense as well as international deterrence 
and escalation? 

To facilitate the operationalization of this new do- 
main, education of the tenets of cyberspace must oc- 
cur at the tactical, operational, and strategic levels of 
leadership. The persistent increase of cyberspace ac- 
tivities in global events continues to make internation- 
al dynamics more complex. The scope of context for 
such matters needs to consider not just other military 
efforts or even other instruments of national power, 
but how they are presented in an escalation frame- 
work and where they may be going. 

This monograph posits that expanding deterrence 
forces to include conventional strike and cyber offense 
can add capability and credibility, as well as flexibility, 
to course-of-action development available for national 
command authorities. It also argues that cyberspace 
operations, such as automated cyber defense, can sup- 
port and enhance deterrence operations and limited 
conflict as well as help control escalation and
reduce risk. 



ABOUT THE AUTHOR 



JEFFREY L. CATON is President of Kepler Strategies 
LLC, Carlisle, PA, a veteran-owned small business 
specializing in national security, cyberspace theory, 
and aerospace technology. He is also an Intermittent
Professor of Program Management with the Defense 
Acquisition University. From 2007-12, Mr. Caton 
served on the U.S. Army War College faculty, includ- 
ing Associate Professor of Cyberspace Operations 
and Defense Transformation Chair. Over the past 5 
years, he has presented lectures on cyberspace and 
space issues related to international security in the 
United States, Sweden, the United Kingdom, Esto- 
nia, and Kazakhstan, supporting programs such as 
the Partnership for Peace Consortium and the North 
Atlantic Treaty Organization Cooperative Cyber De- 
fence Center of Excellence. His current work includes 
research on cyberspace and space issues as part of the 
External Research Associates Program of the Strategic 
Studies Institute as well as serving as a facilitator for 
Combined/Joint Land Force Component Commander
courses at the Center for Strategic Leadership and De- 
velopment. He served 28 years in the U.S. Air Force 
working in engineering, space operations, joint opera- 
tions, and foreign military sales, including command 
at the squadron and group level. Mr. Caton holds a 
bachelor's degree in chemical engineering from the 
University of Virginia, a master's degree in aeronauti- 
cal engineering from the Air Force Institute of Tech- 
nology, and a master's degree in strategic studies from 
the Air War College. 






SUMMARY 



Military cyberspace operations have been ongoing 
since before the advent of the Internet. Such operations 
have evolved significantly over the past 2 decades and 
are now emerging into the realm of military opera- 
tions in the traditional domains of land, sea, and air. 
The goal of this monograph is to provide senior poli- 
cymakers, decisionmakers, military leaders, and their 
respective staffs with a better understanding of Army 
cyberspace operations within the context of overall 
U.S. military cyberspace operations. It first looks at the 
evolution of Department of Defense (DoD) cyberspace 
operations over the past decade. Next, it examines the 
evolution of the Army implementation of cyberspace 
operations. Finally, it explores the role of cyberspace 
operations in the escalation of international conflict. 

The scope of discussion is at the survey level of 
detail to provide an overall appreciation for the com- 
plex and dynamic nature of evolving cyberspace op- 
erations. It is limited to unclassified and open source 
information; any classified discussion must occur at 
an appropriate venue. Although the details contained 
herein are largely focused on military applications, 
the reader must realize that whole-of-government ef- 
forts are essential for the successful implementation of 
national security efforts in cyberspace. 

This monograph has three main sections: 

• Evolution of Military Cyberspace Operations. 
This section examines the founding of U.S. Cy- 
ber Command from its roots in various mili- 
tary units focused on defensive and offensive 
cyberspace operations. It reviews the initial op- 
eration of the command under the leadership 
of General Keith Alexander as well as its current
operations led by Admiral Michael Rogers.
Also, it assesses the command's mission
to direct operations, defend networks, and, on 
order, conduct full spectrum operations, with 
respect to its appropriateness and adeptness 
for the command and control of military cyber- 
space forces. 

• Evolution of Army Cyberspace Operations.
Having examined the evolution of joint cyber- 
space operations, this section focuses on par- 
allel evolutionary efforts in Army cyberspace 
operations toward the establishment of Army 
Cyber Command. It examines initial operations 
of the command under the leadership of Lieu- 
tenant General Rhett Hernandez as well as its 
current operations led by Lieutenant General 
Edward Cardon. This includes a brief review of 
recent efforts to establish Fort Gordon, Georgia
as the center of gravity for Army cyberspace 
activities. 

• Cyberspace Operations in a Global Context.
This section examines the sufficiency of the 
current cyberspace force structure to address 
an international environment of multiple actors 
interacting with varying degrees of tension. In 
such a global situation, cyberspace operations 
seeking to produce certain effects must also be 
examined for their potential to cause escalation 
of activities; possibly even up to the point of 
existential threat. The section presents a modi- 
fied Kahn escalation ladder as a useful meta- 
phor to explore how cyberspace activities may 
integrate with traditional military operations 
across the spectrum of international conflict as 
well as how such defenses influence national 
responses related to deterrence and escalation. 



This monograph examines the past and present 
joint and Army cyberspace military operations, as 
well as how these operations may fit into the complex 
and dynamic sphere of international deterrence and 
escalation. To facilitate the best evolutionary path for 
future activities, it provides recommendations in the 
areas of current priorities, authorities, strategic en- 
gagement, multi-role modeling, and other paradigms 
and factors to consider in future examinations of 
the topic. 

AUTHOR'S NOTE



When this monograph was initially completed 
in August 2012, the capstone doctrine document for 
U.S. military cyberspace operations, Joint Publication
(JP) 3-12, Joint Cyberspace Operations, was a classified
document. On October 21, 2014, the Joint Chiefs
of Staff released JP 3-12(R), Cyberspace Operations, an 
unclassified version of the earlier doctrine document 
that is posted on the unclassified public access gov- 
ernment website "Joint Electronic Library" (available 
from www.dtic.mil/doctrine/). Please note that the cover
of the unclassified version retains the original classi- 
fied release date of February 5, 2013, but its contents 
do not include an explanatory note as to when, how, 
and why this declassification was made. 

In general terms, the information in this monograph 
is consistent with the details contained in JP 3-12(R), 
and thus this monograph has not been modified to 
assess and incorporate this recent release. However, 
a diagram from JP 3-12(R) that depicts typical joint
cyberspace command and control organizational rela- 
tionships is included as Figure A-1 in the Appendix to 
complement the information contained in Figures 1, 2, 
and 3 of this monograph. 

ARMY SUPPORT OF MILITARY
CYBERSPACE OPERATIONS: 

JOINT CONTEXTS AND GLOBAL 
ESCALATION IMPLICATIONS 

Military cyberspace operations have been ongo- 
ing since before the advent of the Internet. Such op- 
erations have evolved significantly over the past 2 de- 
cades and are now emerging into the realm of military 
operations in the traditional domains of land, sea, and 
air. The goal of this monograph is to provide senior 
policymakers, decisionmakers, military leaders, and 
their respective staffs with a better understanding 
of Army cyberspace operations within the context of 
overall U.S. military cyberspace operations. To ac- 
complish this, it first looks at the evolution of Depart- 
ment of Defense (DoD) cyberspace operations over 
the past decade. Next, it examines the evolution of 
the Army implementation of cyberspace operations. 
Finally, it explores the role of cyberspace operations 
in the escalation of international conflict. The scope of 
discussion is at the survey level of detail to provide 
an overall appreciation for the complex and dynamic 
nature of evolving cyberspace operations. It is limited 
to unclassified and open source information; any clas- 
sified discussion must occur at an appropriate venue. 
Although the details contained herein are largely fo- 
cused on military applications, the reader must realize 
that whole-of-government efforts are essential for the 
successful implementation of national security efforts 
in cyberspace. 






EVOLUTION OF MILITARY CYBERSPACE 
OPERATIONS 



This section examines the founding of the U.S. Cy- 
ber Command from its roots in various military units 
focused on defensive and offensive cyberspace opera- 
tions. It reviews the initial operation of the command 
under the leadership of General Keith Alexander as 
well as its current operations led by Admiral Michael 
Rogers. Also, it assesses the command's mission to 
direct operations, defend networks, and, on order, 
conduct full spectrum operations with respect to its 
appropriateness and adeptness for the command and 
control of military cyberspace forces. 

The Founding of U.S. Cyber Command. 

The formal establishment of military units dedi- 
cated to cyberspace missions is mostly a phenomenon 
of the 21st century. This section will look at how the 
defensive and offensive aspects of cyberspace op- 
erations evolved until they were merged under U.S. 
Cyber Command. 

Defensive Cyberspace: Joint Task Force-Global 
Network Operations. 

In the last years of the 20th century, DoD began 
to form the forerunners of a dedicated cyberspace 
force. In December 1998, Secretary of Defense William 
Cohen approved formation of the Joint Task Force- 
Computer Network Defense (JTF-CND) to "serve as 
the focal point with the Department of Defense to or- 
ganize a united effort to defend its computer networks 
and systems" based on needs demonstrated by "defense
exercises and real world events in 1997 and in
early 1998." These events included the DoD Eligible
Receiver 1997 exercise as well as the hacking incidents
known as Solar Sunrise and Moonlight Maze. JTF-CND
was collocated with the Global Operations and
Security Center of the Defense Information Systems 
Agency (DISA) in Washington, DC, and was given the 
initial mission to be responsible for operations on DoD 
computer systems and networks as well as coordinat- 
ing these efforts with the interagency and commercial 
communities.

The initial cadre was small at 10 personnel assigned 
and only 24 assigned when full operational capability 
was achieved in June 1999. At first, the JTF-CND was 
not assigned to a unified command, so its commander 
reported through the Chairman of the Joint Chiefs of 
Staff to the Secretary of Defense. The first commander,
Major General John Campbell, recognized there was
no connection with services and regional warfighting
commanders, and the interim command arrangement
evolved quickly. Within a year, JTF-CND was placed
under the U.S. Space Command with responsibilities
that included DoD-wide defense actions to stop computer
network attack (CNA) and computer network
exploitation (CNE) efforts and to mitigate the effects
of any successful attacks.

In April 2001, the offensive cyberspace role of com- 
puter network attack was assigned to U.S. Space Com- 
mand, and the JTF-CND was renamed to Joint Task 
Force-Computer Network Operations (JTF-CNO).
The new commander, Major General James Bryan,
was also dual-hatted as Vice Director, DISA. He described
the new organization and reporting structure
to Congress in May 2001:

Sir, Joint Task Force-CNO is, in fact, that one-stop operational
command for the Department of Defense for
both offense and defense. It is important to remember 
that we may be a one-stop shop for operational coor- 
dination; but without the cooperation of the services 
and the agencies to include law enforcement as part 
of one team, the JTF could not do its job as well as 
we do. But it certainly answers the question as to who 
is in charge, and this operational accountability now 
flows from the President to the Secretary of Defense to 
General Eberhardt, who is CINCSPACE, to me.

On January 10, 2003, President George W. Bush 
signed Change-2 to the 2002 Unified Command Plan, 
which included the merging of U.S. Space Command 
and the existing U.S. Strategic Command into the
"new" U.S. Strategic Command (USSTRATCOM) under
which JTF-CNO was realigned. By April 2004, the
first Concept of Operations for network operations 
(NetOps) for the DoD global information grid (GIG) 
was approved. The roles of defensive and offensive 
cyberspace activities were refined during this period 
such that in July 2004, Secretary of Defense Donald 
Rumsfeld changed JTF-CNO to Joint Task Force-Global
Network Operations (JTF-GNO). The first
JTF-GNO commander was the director of DISA, Lieutenant
General Harry Raduege, Jr., who later noted:

For the first time in network operations and cybersecu- 
rity history, command lines were established from the 
secretary of defense to the STRATCOM commander, 
to the JTF-GNO commander, to each of the appointed 
component commanders within the military services 
and representatives within the combatant commands 
and defense agencies. This framework provides an 
important governance model for optimally operating 
and defending Defense Department networks through 
an established command structure.

After the inaugural year of operations, USSTRATCOM
commander, General James Cartwright, approved
a revised Concept of Operations (CONOPS) to
capture lessons learned for JTF-GNO on August 15,
2005. The CONOPS noted that the NetOps primary
mission to operate and defend the DoD's critical information
backbone — the GIG — is explicitly an ongoing
one: "Unlike many missions that are deemed successful
at a defined completion date, the NetOps mission is
perpetual, requiring continual support to be successful."
To accomplish this, the CONOPS envisioned
six critical capabilities to be employed across the spectrum
of DoD operations at the strategic, operational,
and tactical levels: visibility; monitoring and analysis;
planning; coordinating and responding; management
and administration; and control.

One of the practical aspects of the revised
CONOPS was its delineation of NetOps within the
context of joint and Service organizations. It also dis- 
tinguished between NetOp events (activities that may 
impact operational readiness of the GIG) at the theater 
level and global level. NetOps Events with effects lim- 
ited to a specific theater's operations — Theater NetOp 
Events — would be under the control of the appropri- 
ate geographic commander in the supported role, 
receiving necessary support from USSTRATCOM 
and JTF-GNO. For NetOps Events with the potential 
to impact the GIG across multiple theaters — Global 
NetOps Events — the commander, USSTRATCOM, 
would be the supported commander and would issue 
orders through JTF-GNO to combatant commands,
services, and agencies via established support and 
command centers. 

The command and control structure for addressing
NetOps Events utilized NetOps Control Centers
at the theater level (TNCC), global level (GNCC), and 
joint level (JNCC). The CONOPS called for TNCCs at 
U.S. Central Command, U.S. European Command, 
U.S. Northern Command, U.S. Pacific Command, and 
U.S. Southern Command: 

to lead, prioritize, and direct Theater GIG assets and 
resources to ensure they are optimized to support the 
GCC's [geographic combatant command's] assigned 
missions and operations, and to advise the COCOM 
[combatant command] of the ability of the GIG to support
current and future operations.

As part of their Global NetOps Event responsibilities, 
a GNCC would provide support to functional com- 
batant commands (FCCs), such as U.S. Transportation 
Command "to advise the FCC and ensure the portion 
of the GIG resources supporting that Commander's 
assigned missions and operations are optimized."

The CONOPS also had service and interagency 
provisions as well as JNCCs to support a joint task 
force (JTF) commander by managing "the tactical com- 
munications of the joint force, serving as the NOSC 
[Network Operations and Security Center] for the 
deployed portion of the GIG supporting a JTF." To
orchestrate all of these functions, the JTF-GNO com- 
mander was assigned several critical responsibilities 
to ensure proper operation and defense of the GIG, 
which in turn supported the missions of combatant 
commands, services, and agencies as well as those of 
the President and Secretary of Defense.

Finally, the CONOPS set the expectation and mea- 
sure of merit for its support to the warfighter simply 
as "the effectiveness of NetOps will be measured in 
terms of availability and reliability of net-centric services,
across all domains, in adherence to agreed-upon
service levels and policies." The tenets of the 2005
CONOPS continued to mature through daily opera- 
tions for several years pursuing a challenge that was 
conveyed in the December 2008 DoD NetOps Strate- 
gic Vision, which strived for the GIG to operate "as a 
single, unified, agile, and adaptive enterprise capable 
of providing responsive and resilient support to mul- 
tiple simultaneous mission areas under uncertain and 
changing conditions." To address this challenge, the
DoD Chief Information Officer set three goals: share 
GIG situational awareness; unify GIG command and 
control; and institutionalize NetOps. Also, the broad
responsibilities regarding NetOps for combatant com- 
mands expressed in the USSTRATCOM CONOPS 
were formally institutionalized as an integral part of 
the GIG by DoD that month as well.

Offensive Cyberspace: Joint Functional Component 
Command-Network Warfare. 

In 2003, around the same time that JTF-CNO was 
adjusting its organization to the reporting chain in 
USSTRATCOM, the DoD offensive cyberspace mis- 
sion of network attack was transferred to a Network 
Attack Support Staff also under the operational control
of USSTRATCOM but collocated with the National
Security Agency (NSA). By January 2005, this staff
evolved to become the Joint Functional Component
Command-Network Warfare (JFCC-NW). The Director
of the NSA was designated as the commander
of JFCC-NW and thus the offensive cyberspace mission
was separated from the defensive cyberspace
mission carried out by the Director of DISA in the role
of commander, JTF-GNO. The 2005 USSTRATCOM
NetOps CONOPS defined the primary responsibilities
of JFCC-NW as "planning, integrating and coordinating
computer network warfare capabilities and integrating
with all necessary computer network defense
and exploitation capabilities."

Further details of the capabilities and implemen- 
tation of offensive cyberspace operations remain 
classified. For public dissemination, Lieutenant General
Keith Alexander (Director, NSA and commander,
JFCC-NW) summed up the state of cyberspace
operations in a 2007 article as:

We [USSTRATCOM] have redefined our cyberspace 
mission area in terms of offensive — network warfare
(NW) and defensive — network operations (NetOps) —
and established JFCC-NW and JTF-GNO to address 
each of those mission sets, respectively. 

USSTRATCOM has also begun to develop tactics, 
techniques, and procedures and other concepts de- 
signed to integrate cyberspace capabilities into cross- 
mission strike plans. We are developing concepts to 
address warfighting in cyberspace in order to assure 
freedom of action in cyberspace for the United States 
and our allies while denying adversaries and provid- 
ing cyberspace-enabled effects to support operations 
in other domains. These concepts, and the cyberspace 
effects that they focus on, are clearly based on the mili- 
tary concepts of strike, fires (supporting and suppress- 
ing), and defense. 

This arrangement of two three-star general com- 
manders reporting separately to USSTRATCOM was 
streamlined in late-2008 when operational command 
of JTF-GNO was placed under JFCC-NW. This
change was intended to "close the seams between information
assurance, network operations and defense,
intelligence collection and offensive operations."

The Trigger Event - Operation BUCKSHOT YANKEE.



In the fall of 2010, the world learned of a previ- 
ously classified cyberspace operation through an 
article in Foreign Affairs by Deputy Secretary of De- 
fense William J. Lynn III. Calling the 2008 incident 
"the most significant breach of U.S. military comput- 
ers ever," Lynn went on to note that "the Pentagon's 
operation to counter the attack, known as Operation 
BUCKSHOT YANKEE, marked a turning point in 
U.S. cyber-defense strategy." Part of this strategy included
the formation of a new sub-unified command
under USSTRATCOM — U.S. Cyber Command (USCYBERCOM).
The creation of USCYBERCOM was
directed in a June 23, 2009, memorandum by Secretary 
of Defense Robert Gates. The new command would 
incorporate the existing elements of DoD cyberspace 
such as service component and agency connections. 
In doing this, Gates also directed the disestablishment
of JTF-GNO and JFCC-NW as their functions were 
subsumed into USCYBERCOM. 

The first commander of USCYBERCOM, General 
Keith Alexander, in testimony to Congress in Septem- 
ber 2010, recapped the events from Operation BUCK- 
SHOT YANKEE up through initial operational capa- 
bility of the new command as well as how its structure 
would greatly enhance future cyberspace operations. 

At that time [2008], we had the defense and the operations
in one command, under the Joint Task Force-Global
Network Operations. And that task force got
one level of intelligence and could see one part of the 
network. 

Operating on the other side was the Joint Functional 
Component Command-Net Warfare, trained at a different
level with different intel insights at a different
classification level, same network, two organizations. 
And if you are operating at the National Training Cen- 
ter, you wouldn't have the defensive team out there 
defending and then take them off the field and run out 
with an offensive team. It is the same team. 

And so the good thing that we have done here is we 
have brought those two together, merged those, and I 
think that is key to the success here. We need that to 
operate as one team. The offense and defense cannot 
be different here, because these operations will occur 
in real time. And I think we have to be prepared to 
do that.



Initial USCYBERCOM Operations. 

Secretary of Defense Gates set very aggressive 
dates for USCYBERCOM establishment: initial oper- 
ating capability by October 2009 and full operational 
capability by October 2010. Although the first operational
milestone was not achieved until May 21, 2010,
USCYBERCOM was declared fully operational, which 
included the formal disestablishment of JTF-GNO and 
JFCC-NW.35 The USCYBERCOM mission was three- 
fold: enable DoD network operations; conduct mili- 
tary cyberspace operations; and ensure freedom of 
action in cyberspace.

Figure 1 depicts the interim structures of the de- 
veloping USCYBERCOM within the larger context of 
DoD cyberspace. Working in parallel to the joint ef- 
forts, each military service was also tasked to develop 
and establish cyberspace commands to support US- 
CYBERCOM. By October 2010, the following compo- 
nent support commands were in place: Army Cyber 
Command; Fleet Cyber Command, 10th Fleet; Marine 
Forces Cyber; and 24th Air Force. 

Figure 1. USCYBERCOM Formation and
DoD Cyber Organization (March 2010).

Consistent with the vision put forth in the Foreign 
Affairs article by Deputy Secretary Lynn, General Al- 
exander confirmed the initial direction of the first US- 
CYBERCOM was set in three main lines of operation: 
defense of the Global Information Grid; execution of 
full-spectrum cyber operations on command; and de- 
fense of U.S. freedom of action in cyberspace. He also 
reiterated five principles for the initial strategy of DoD 
cyberspace:

• Remember that cyberspace is a defensible do- 
main. 

• Make our defense active. 

• Extend protection to our critical infrastructure. 

• Foster collective defenses. 

• Leverage U.S. technological advantages.

What was the vision for the practical application of
these principles in military terms? General Alexander
emphasized the need for the command to focus
on operating jointly in support of the combatant commanders.
This cyberspace support to the deployed
warfighter was facilitated using Cyber Support Ele- 
ments (CSEs) for combatant commanders and Expedi- 
tionary CSEs (ExCSEs) for joint task force command- 
ers. These teams are scalable in size and composition 
to best meet mission requirements as well as establish 
working relationships with the directorates of intelli- 
gence (J2), operations (J3), and planning (J5). Regard- 
ing ExCSE activities that support ongoing operations, 
General Alexander testified to Congress in 2010 that: 

Currently, USCYBERCOM has two ExCSEs teams deployed
— one in Iraq and one in Afghanistan. The teams
consist of five personnel: a team chief (lead planner),
a cyber attack planner, a cyber defense planner, and
two analysts (cyber and intelligence). USCYBERCOM
embeds these teams within the supported Joint Task
Force headquarters (typically J3 Directorate — Operations)
to enable the delivery of cyber effects in support
of the commander's priorities.

The USCYBERCOM commander would also lead 
the National Security Agency (NSA) and Central Se- 
curity Service, thus adding in the traditional commu- 
nities of national security cryptology, signals intelli- 
gence, and information assurance into the cyberspace 
operations mix. Although this puts a great amount of 
responsibility under the purview of a single leader,
General Alexander argued that it made sense for resource
stewardship and unity of effort. From a force
structure view, this included the incorporation of
existing task-specific support teams, such as:






Green Teams to respond to cyber incidents; Blue 
Teams that provide in-depth review and resolution of 
cyber events; and Red Teams that emulate adversary 
procedures against DoD hosts to train defenders and 
identify vulnerabilities for mitigation.

Current Joint Cyberspace Operations. 

In January 2012, President Barack Obama and 
Secretary of Defense Leon Panetta gave DoD new 
strategic guidance for sustaining U.S. global leader- 
ship in the 21st century. This guidance centered on 
10 primary mission areas where "the Joint Force will
need to recalibrate its capabilities and make selective ad- 
ditional investments to succeed," which includes efforts 
to ensure protection and resiliency for cyberspace operations.
Under General Alexander's leadership, USCYBERCOM
pursued five broad command priorities
to address the mandate: (1) Trained and Ready Cyber
Forces; (2) Operational Concept; (3) Global Situational
Awareness; (4) Defensible Architecture; and (5) Policies
and Procedures to Enable Action.

Admiral Michael S. Rogers assumed command of 
USCYBERCOM on April 3, 2014, and since then, he 
has kept the command focused on the same five priorities.
In a June 2014 speech, he highlighted how the
Joint Information Environment (JIE) will provide a
truly defensible network for warfighters once it is fully
mature and noted that the JIE structure is currently being
implemented in Europe. He also provided details
on the planned structures for trained and ready cyber 
forces. Consistent with the cyber force envisioned in 
the 2014 Quadrennial Defense Review, Admiral Rogers 
called for a team structure of approximately 6,000 cyber
professionals divided into 133 teams across three
mission areas: Cyber National Mission Force responsible
for defending national critical infrastructure;
Cyber Combat Mission Force responsible for cyber
support to combatant commanders; and Cyber Protection
Forces responsible for operating and defending
the DoD information network (DoDIN). Table 1
depicts how these teams might be aggregated to form 
notional companies, battalions, and squadrons. 



Current Cyberspace Mission Forces
(2014 Quadrennial Defense Review: 133 Total Teams, 6,000 Pax)

• 13 National Mission Teams with 8 National Support Teams
• 27 Combat Mission Teams with 17 Combat Support Teams
• 18 National Cyber Protection Teams (CPTs)
• 24 Service CPTs
• 26 Combatant Command and DoD Information Network CPTs

National Basic Types of Cyberspace Units (USCYBERCOM, October 2013)

Cyber National Mission Battalion/Squadron

Mission: See, Block, Maneuver in Red and Grey space to deny adversary
objectives and, if authorized, strike to destroy the capability.

1 X C2 Element
• Provide C2 and management

5 X Cyber National Mission Teams (CNMT) (64 Pax each)
• Base unit for cyber operations
• Conduct OCO/DCO/DGO
• Sustained and surge operations
• Trained, certified, and fights as a team

5 X Direct Support Teams (DST) (39 Pax each)
• Provides direct support to CNMTs
• Conduct Intel and malware analysis
• Perform immediate tool development / modification and access maintenance
• Conduct target discovery / analysis
• Provide language analysis
• Planning and synchronization
• NSA initial weight to DTN DSTs, then shifting to CCMD support as capacity grows.

Cyber Combat Mission Battalion/Squadron

Mission: Target development in support of CCMD operations plans and,
when authorized, the delivery of cyber effects against CCMD targets,
followed by assessment of effects. OPCON to CCMDs under current
"Transitional" C2 model.

1 X C2 Element
• Provide C2 and cyber management for CCMD (OPCON)

1-6 X Cyber Combat Mission Teams (CCMT) (64 Pax each)
• Base unit for offensive cyber operations
• Large Scale ops CCMF has all CCMT specialties, others less
• Trained, certified, and fights as a team

1-2 X Direct Support Teams (DST) (39 Pax each)
• One DST per 3-5 CCMT
• More target region specific skills
• Perform immediate tool development / modification and access maintenance
• Conduct target discovery and analysis
• Provide language analysis
• Planning and synchronization

Cyber Protection Company/Troop

Mission: Defense of the GIG and employing teams to assist outside the
GIG when required and authorized.

2-6 X Cyber Protection Platoons
• Each Platoon has its own organic C2 element
• Each Platoon has 5 squads (see below)
• Conduct CND; tips to CNA; Penetration testing
• Trained, certified, and operates as a team

5 X Protection Squads / Platoons
• Task organized, trained and certified
• Assesses Cyber Security Posture
• Bolsters Cyber Defenses
• Conducts Counter-Cyber Ops
• Performs Cyber Threat Emulation (CTE)
• Conducts Intel and malware analysis

Table 1. Cyberspace Force Presentation
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As Cyber National Mission Force teams are being 
established, their techniques and procedures are also 
being developed through daily operations and exer- 
cises. Many of these exercises require coordination 
across multiple lines of authority, such as the Cyber 
Guard 14-1 exercise conducted over 2 weeks in July 
2014 "designed to test operational and interagency co- 
ordination as well as tactical-level operations to pro- 
tect, prevent, mitigate and recover from a domestic 
cyberspace incident." 

Cyber Combat Mission Force teams are also refin- 
ing their methods for providing support to combatant 
commanders. As depicted in Figure 2, USCYBERCOM 
CSEs help to coordinate cyber support through joint 
component commanders, joint task force commanders,
and the combatant commander's Joint Cyber Center.
Specific operational requests may be in the form of
the Cyber Effects Request Format (CERF) process,
which "initiates cyber effects planning across all lines
of operation." Warfighters may also use a Joint Cyber
Strike Request that "sets the timing and tempo to
integrate cyber effects/fires with the supported Joint
Force Commander's operation." For planning and
execution of these requests, "CDRUSCYBERCOM
[Commander, USCYBERCOM] deconflicts fires delivered
in and through cyberspace."

[Figure 2 graphic not reproduced. Labels: Transitional C2
Model; USCYBERCOM; CCMD; Joint Task Force; Joint Forces
air, maritime, and land components; Joint Forces Space
Operations Center; Cyber Support Elements (CSE) for air,
sea, space, and land integration.]

Figure 2. USCYBERCOM Support to
Combatant Commands.



From a doctrinal viewpoint, all of the cyberspace
operations for warfighters should fall into three
mission areas: DoDIN Operations, Defensive Cyberspace
Operations (DCO), and Offensive Cyberspace Operations
(OCO). DCO is bifurcated into DCO-Internal Defensive
Measures (IDM) and DCO-Response Actions
(RA). Figure 3 depicts the notional relationship of
these functions with regard to cyberspace missions
and support teams.

[Figure 3 graphic not reproduced. Labels: DOD Information
Global Network Operations (network focused/threat agnostic);
Defensive Cyberspace Operations (DCO) (mission focused/threat
specific), comprising DCO-Response Actions (DCO-RA) and
DCO-Internal Defensive Measures (DCO-IDM); Offensive
Cyberspace Operations (project power in and through
cyberspace); Cyber Protection Teams; CMT; National Mission
Teams; Provide Freedom of Maneuver in Cyberspace; JFC Mission
Objectives; cyber actions executed by cyber forces: Cyberspace
Defense, Cyberspace OPE, Cyberspace ISR, Cyberspace Attack;
supported by all-source intelligence, information technology,
and routine communications activities.]

Figure 3. Cyberspace Operations Functional
Relationships.

Examining further details of these functions quick- 
ly leads to classified material that is inappropriate for 
this monograph. A capstone joint doctrine publication, 
Joint Publication (JP) 3-12, Joint Cyberspace Operations, 
was released in February 2013 for cyberspace opera- 
tions for those readers with appropriate clearance and 
need to know. The unclassified synopsis states that 
the publication seeks to address "the uniqueness of 
military operations in cyberspace, clarify cyberspace 
operations-related command and operational
interrelationships, and incorporate operational lessons
learned."



















EVOLUTION OF ARMY CYBERSPACE 
OPERATIONS 



Having examined the evolution of joint cyberspace 
operations, this section focuses on parallel evolution- 
ary efforts in Army cyberspace operations toward the 
establishment of Army Cyber Command. It examines 
initial operations of the command under the leader- 
ship of Lieutenant General Rhett Hernandez as well 
as its current operations led by Lieutenant General 
Edward Cardon. This includes a brief review of recent 
efforts to establish Fort Gordon, Georgia as the center 
of gravity for Army cyberspace activities. 

The Founding of Army Cyberspace Operations. 

Just a few years before the formation of JTF-CND,
the Army was making organizational changes to begin
consolidating the operation of information systems.
Since May 1984, the U.S. Army Information Systems
Command (ISC) provided the service-wide management
of five information disciplines: communications;
automation; records management; printing and
publishing; and visual information. Based on the perceived
need for better control over regional communication
and computer systems by Army major commands
and theater commanders, ISC was disbanded, and the
Army Signal Command created in September 1996.
During the next 6 years, the command focused on
strategic signal support to Army combat units worldwide.
However, these units were equipped and resourced
at the major command or theater level with little
coordination. Thus, the Army-wide information systems
became increasingly nonstandard in their equipment
and protocols at a time when threats to the system
were growing more complex and widespread.

To address these issues, the U.S. Army Network
Enterprise Technology Command/9th Army Signal
Command (NETCOM/9th ASC) was established in
August 2002. Its mission was to "operate, manage,
and defend the Army's 'Infostructure' at the
enterprise level" to provide "Command, Control,
Communications, Computers, and Information Technology
common user services and signal warfighting forces
in support of the Army, its Army service Component
Commanders, and the Combatant Commanders."
This included operation and defense of the Army's
portion of the GIG.

The USSTRATCOM 2005 CONOPS for GIG
NetOps identified the Commander, U.S. Army Space
and Missile Defense Command (USASMDC)/Army
Forces Strategic Command (ARSTRAT) as the Army
service component to JTF-GNO. The Army NetOps
structure had three tiers: (1) the central command
element of the Army Network Operations and Security
Center (ANOSC), referred to in the CONOPS as the
Service Global Network Operations and Security
Center (SGNOSC); (2) the combatant command support
elements of the Theater Network Operations and
Security Centers, referred to in the CONOPS as the Service
Theater Network Operations and Security Centers;
and (3) support elements within theater of the Regional
Network Operations and Security Centers. Figure 4
depicts how the Army implemented this three-tiered
structure across the five geographic combatant
commands. The ANOSC (or SGNOSC) at Fort Belvoir,
VA, provided "decisionmakers a comprehensive,
integrated, near real-time, situational awareness, [and]
operational reporting capability" as well as
"worldwide operational and technical support to the
LandWarNet across the tactical and strategic levels."

[Figure 4 graphic not reproduced; legend labels: OPCON, Supports.]

Figure 4. U.S. Army NetOps Forces (Circa 2005).

In October 2006, the Army reinforced the
NETCOM/9th ASC mission and redesignated it
as the U.S. Army Network Enterprise Technology
Command/9th Signal Command (Army)
(NETCOM/9th SC (A)). Its mission was clarified to 
formally include network-centric operations in con- 
text of the LandWarNet by executing: 

globally based and expeditionary communications 
capabilities to enable joint and combined battle com- 
mand, leveraging the information grid to ensure ex- 
tension and reachback capabilities to the warfighter. 

It was to accomplish this "through globally postured
theater signal commands, brigades, and regional
information managers."

Perhaps a good example of warfighter support
facilitated by NetOps using the GIG is that of friendly
force tracking (FFT). Originally called blue force
tracking, the initial aim of the program was for U.S.
Space Command to use national technical means "to
provide a beyond line-of-sight, low probability of
detection and interception, precise location of Special
Operations Forces elements." When U.S. Space
Command merged with U.S. Strategic Command
in 2002, the FFT mission operational control
transitioned to USASMDC/ARSTRAT. In December 2008,
the USSTRATCOM FFT mission was refined and
USASMDC/ARSTRAT was given responsibility "to
provide FFT data services on a continuous basis to
combatant commands" and interagency and coalition
users (when directed) as well as "to provide a combat
development capability integrating FFT data into
current and planned architectures for use on the
appropriate Common Operating Picture." The system
has now become so integrated into joint operations
that it may be taken for granted. Its continued success
depends on coordinated NetOps support to generate,
collect, process, disseminate, and display joint FFT
information to warfighters worldwide.

The 2009 version of the U.S. Army Posture State- 
ment contained a summary of the Army's evolving 
cyber operations, which included descriptions of 
the NETCOM/9th SC defensive cyberspace focus of
NetOps as well as the Army Intelligence and Security
Command (INSCOM) offensive cyberspace focus
of network warfare. By this time, Army cyberspace
operations had been:

integrated throughout Service and Joint Force struc- 
ture, from strategic levels such as the Defense In- 
formation Service Agency, Joint Task Force-GNO, 
NSA, and Joint Functional Component Command- 
Network Warfare down to the Brigade Combat Team 
(BCT) level.

This included forward-based forces within theater
signal commands, military intelligence brigades, and
planning elements.

Initial Army Cyber Command Operations. 

In May 2009, the Army established a cyberspace task 
force to examine how to organize the service's cyber- 
space assets to support the anticipated establishment 
of a sub-unified command in USSTRATCOM dedicat- 
ed to cyberspace operations. Specifically, the task force 
would synchronize the cyberspace-related activities of 
the Army Staff Intelligence/G-2, Operations/G-3, and
Chief Information Officer/G-6. More importantly, it 
would examine if existing organizations (i.e., NET- 
COM, INSCOM, or USASMDC/ARSTRAT) could 
best provide the headquarters functions to direct the 
Army's existing cyberspace operation capabilities, or 
if a new command should be established. When De- 
fense Secretary Gates issued his June 2009 memoran- 
dum to establish USCYBERCOM, the Army opted to 
retain USASMDC/ARSTRAT as the interim choice for
U.S. Army Forces Cyber Command (ARFORCYBER).
At that time, the organization of Army cyberspace
forces was largely the same as it had been described
in the 2005 USSTRATCOM CONOPS, with a central
command element and Theater Network Operations 
and Security Centers (TNOSCs) as well as Army Com- 
puter Emergency Response Teams (ACERTs). The 
Army Global Network Operations and Security Cen- 
ter (AGNOSC) remained essential to warfighting as 
"the Army's global eyes and ears in cyberspace . . . ac- 
tively defending the Army's operational and generat- 
ing force information capabilities from a continuously 
evolving, adaptive enemy." Also, TNOSCs continued
their mission to "direct the operations, management
and defense of the Army's portion of the link to
the GIG."

In February 2010, based on "the increasing global 
scope of the cyberspace mission," the Army chief of 
staff approved the establishment of a separate command
for ARFORCYBER. In June 2010, it was announced
that Major General Rhett A. Hernandez
would be the new ARFORCYBER commander with
the task of achieving Army Cyber Command full
operational capability by October 2010. While the roles of
NETCOM/9th SC (A) and INSCOM remained largely
unchanged, a new nerve center for Army cyberspace
operations was created: the Army Cyber Operations
and Integration Center (ACOIC). With functions
similar to those of the previous AGNOSC, the ACOIC 
was designed not only to provide Army forces with 
"clear, concise, and timely direction to execute full 
spectrum operations in cyberspace" but also to co- 
ordinate Army cyberspace operations and "to share 
information with other Army commands, our coun- 
terparts in the other services, and the U.S. Cyberspace 
Joint Operations Center." To facilitate this integration, 
some ACOIC personnel were physically embedded 
with the USCYBERCOM joint staff. 

As the organization charts were being redrawn 
for ongoing Army cyberspace operations, the Army 
Training and Doctrine Command (TRADOC) began
a "Cyberspace/Electromagnetic Contest" capabilities
based assessment in February 2010. TRADOC also
published the "Cyber Operations Concept Capability
Plan 2016-2028" in February 2010 as the:

first step in developing a common understanding of
how technological advancements transform the
operational environment, how leaders must think about
cyberspace operations, how they should integrate
their overall operations, and which capabilities are
needed.

The report assessed that "the Army's current
vocabulary, including terms such as computer network
operations (CNO), electronic warfare (EW), and
information operations (IO) will become increasingly
inadequate." It posited three interrelated dimensions of
full spectrum operations built upon these elements:
one of "psychological contest of wills;" a second of
"strategic engagement;" and the third dimension of
"the cyber-electromagnetic contest" — the focus of the
plan. Arguing that cyberspace operations (CyberOps)
was more than the CNO and NetOps, the plan
introduced "four components for CyberOps: CyberSA,
CyNetOps, CyberWar, and CyberSpt, with CyberWar
and CyNetOps being the primary operational
components." The plan went on to develop an initial matrix
of required capabilities for each element in the areas of
doctrine, organizations, training, materiel, leadership
and education, personnel, and facilities.

As planned, Army Cyber Command was established
on October 1, 2010, with a split-based scheme
that had its headquarters at Fort Belvoir, and select
staff elements located with or near USCYBERCOM at
Fort Meade, MD. Its mission was threefold: to lead
the planning and implementation of Army NetOps
and defense of Army networks; when directed, to
conduct cyberspace operations to ensure freedom of
action in cyberspace and to deny the same to
adversaries; and to report, assess, and mitigate Army
cyberspace incidents.

Over the next year, several modifications were
implemented to the initial U.S. Army Cyber Command
(ARCYBER) organizations. In February 2011,
Secretary of the Army John M. McHugh issued a
directive that the Army IO mission transfer to ARCYBER.
Along with this new mission, ARCYBER received
operational control over the 1st Information
Operations Command (Land), which included IO support
to warfighters using deployable teams that could
leverage reach-back planning and analysis as well as
synchronize and conduct CNO tasks. In October
2011, the 780th Military Intelligence Brigade became
ARCYBER's cyber brigade to serve as the command's
"operational arm for full-spectrum cyberspace
operations." As such, the brigade was "organized to
support USCC [USCYBERCOM] and combatant
command cyberspace operations" as well as to conduct
"signals intelligence and computer network
operations, and enables Dynamic Computer Network
Defense of Army and DoD networks." ARCYBER also
established the Army Cyberspace Proponent Office
"to define the Army's future cyberspace force; design
its organizations; establish the requirements to build
it (both technological and human); and to develop the
overarching cyberspace doctrine and operational
constructs." The command relationships resulting from
these first-year changes are depicted in Figure 5.

During the first year of operation, ARCYBER did 
much to advance Army cyberspace operations along 
three lines of effort: operationalizing cyberspace; grow- 
ing Army cyber capacity and capabilities; and recruit- 
ing, developing, and retaining Army cyber profession- 
als. At a public conference in August 2011, Lieutenant 
General Hernandez discussed nine major accomplishments
for the year that highlighted progress in the
operationalization and unity of effort within the command.

Figure 5. U.S. Army Cyber Command/Second
Army (Circa 2011).

Although these were significant steps forward, there 
still remained considerable work to achieve the com- 
mander's vision "to effectively defend our networks 
and deter and oppose our adversaries" as well as "to 
enable cyberspace activities under various authorities 
to work in concert with each other to more effectively 
support cyber operations." Fundamental first steps
in achieving these goals include improving our ability 
to see and understand our networks better. We will 
do this by collapsing our networks from a disparate, 
loose federation into one Army enterprise network. 
This will enable us to establish centralized control of 
our networks and give us more complete, integrated 
visibility into them. Having accomplished this, we
can then establish an active defense in depth across
the network. 

Current Army Cyberspace Operations. 

Looking toward the future, the 2012 Army Posture
Statement identified three essential cyberspace
elements to fulfill the needs of the dynamic information
environment of 2020: a cyberspace enterprise; a
"combined arms" cyberspace force; and integration,
planning, and synchronization of cyberspace effects. To
fully incorporate these cyberspace elements into full
spectrum operations, three cyberspace imperatives
were set forth in the areas of personnel, cross-domain
operations, and integrated operations. The personnel
focus is to pursue "the development of Cyberspace
Warriors and cyberspace formations to gain physical,
temporal, and psychological advantages over an
enemy will enable freedom of movement in, from, and
through cyberspace." The second imperative seeks
to make cyberspace operations "routine and
pervasive" given that "the Army will embrace cross-domain
synergy between land and cyberspace. Cyberspace
operations will be a critical part of 'How the Army
Fights.'" The third imperative is probably the most
challenging since it deals with several evolving
mission areas: "Army Cyber will integrate and
synchronize cyberspace operations with electronic warfare,
electromagnetic spectrum operations, information
operations, and space operations to achieve
commander's objectives to ensure mission command."

ARCYBER continued to evolve with efforts to ad- 
dress capability gaps identified in TRADOC's Cyber/ 
Electromagnetic Capability Based Assessment. These 
included:

increase our [ARCYBER] World Class Cyber Opposition
Force (WCCO) capacity to provide realistic,
challenging cyberspace training in the conduct of Unified
Land Operations to exercises, Home Station Training,
and Combat Training Centers; increase our capability
to conduct active defense of Army Networks through
"Hunt Teams" that can find, fix, and mitigate
currently un-detected malicious actors already inside the
DoD infrastructure; provide capability to integrate
cyberspace operations into Regional Army Land
operations to support commanders' tactical and operational
cyber planning and integration; increase intelligence
personnel to support Army Cyber Command's
operations Center, and improve our capability for rapid
development of network defense tools; increase capacity
to conduct our ability to conduct force modernization
for cyberspace operations by developing requirements
and solutions.

In addition to these areas, ARCYBER also made 
progress in building relationships with allies and 
partner nations through participation in operational 
planning and Theater Security Cooperation efforts
with combatant commands. 

In September 2013, ARCYBER/2nd Army welcomed
its second commander, Lieutenant General
Edward C. Cardon, who continued to build on the
foundation created by Lieutenant General Hernandez.
In his initial assessment of the command, Lieutenant
General Cardon identified the three greatest
continuing challenges as "building cyber capability and
capacity; transitioning to a more defensible platform;
and gaining situational awareness in cyberspace."

In March 2014, the Army affirmed its commitment 
to unity of effort in cyberspace operations and refined 
the command relationships: making ARCYBER an 
Army Force Component Headquarters; designating
2nd Army as a direct reporting unit; and assigning
NETCOM/9th SC (A) to 2nd Army, with Commander,
NETCOM dual-hatted as the Deputy Commanding
General, 2nd Army. Figure 6 depicts the command
relationship of this time frame.

Figure 6. U.S. Army Cyber Command/Second
Army (Circa 2014).

After leading the command for 6 months, Lieutenant
General Cardon offered additional refinements
into these challenge areas, focusing on limitations of
existing information architectures and cyber training
as well as more strategic issues of risk assessment
and authorities to match operating concepts. At the
operational level, he discussed cyberspace operations
in terms of maneuver on "cyber terrain" where one
could replace traditional maps with "roads as
[information] transport—fiber, satellite links, wireless.
Think of the intersections as routers and switches, and
think of the buildings as endpoints or people with
mobile devices." In such a schema, ARCYBER needs to
recognize "there's a real nexus between land, cyber,
and the human domains." At the strategic level, he
noted that "cyber's a domain and it must be integrated
with other domains to provide options to the National
Command Authority."

To help address these myriad tasks, ARCYBER 
is applying the total force concept to current Army 
cyberspace operations. For example, the 1st IO Command
includes four Reserve Component Theater IO
Groups with deployable capability that "provides IO
and cyberspace planning, analysis and technical reach
back; and offers specialized IO and cyberspace training
to assist the warfighter in garrison, during exercises,
or in conflict."

Army National Guard (ARNG) units also play im- 
portant cyberspace roles that may leverage technical 
experience from their civilian jobs. The Guard's 2015 
Posture Statement summarizes some of the advan- 
tages this arrangement offers, to include unique legal 
authorities, knowledge of local critical infrastructure, 
and experience from work with commercial IT companies.
A specific application of this concept was
initiated on June 5, 2014 when a memorandum of
understanding was signed between ARCYBER/2nd
Army and the ARNG to have the 1636th Cyber Protection
Team serve in active Title 10 status in support of
ARCYBER/2nd Army. The unit may be called upon to
conduct any of the following missions:

defensive cyberspace operations, cyber command
readiness inspections, vulnerability assessments,
cyber operational forces support to emulate threats,
critical infrastructure assessments, theater security
cooperation and Federal Emergency Management Agency
support.

Probably the biggest change on the horizon for 
ARCYBER is the pending move of its headquarters to 
Fort Gordon, GA. The Army assessed this as the best 
option to address the need for additional space once 
the command outgrew its facilities at Fort Meade. In 
theory, moving to Fort Gordon is the least costly al- 
ternative. Also, the collocation of the Army's opera- 
tional cyber headquarters with the Army's Joint Force 
Headquarters-Cyber and NSA-Georgia will require 
150 fewer personnel. 

Part of the consolidation of Army cyber forces at 
Fort Gordon is the establishment of the Army Cyber 
Center of Excellence (CoE) there with goals of "align- 
ing Army cyber proponency within TRADOC, cre- 
ating institutional unity and a focal point for cyber 
doctrine and capabilities development, training, and 
innovation." In fact, on March 28, 2014, the U.S.
Army Signal CoE became the Army Cyber CoE with
the initial fusion of various elements of cyber, signal,
and electronic warfare training completed by October
2014 and full operating capability achieved by
October 2015. The new CoE is now responsible for the
development of Army signal and cyber doctrine and
is currently working to produce Field Manual (FM)
3-12, Cyberspace Operations, which will provide "tactics
and procedures for the coordination and integration
of cyberspace operations in support of unified land
operations."

The most significant current Army doctrine regarding
cyberspace is FM 3-38, Cyber Electromagnetic
Activities (CEMA), first published in February 2014.
It provides "an overview of principles, tactics, and
procedures on Army integration of CEMA as part of
unified land operations." Further, it describes how
Army "CEMA are implemented via the integration
and synchronization of cyberspace operations,
electronic warfare (EW), and spectrum management
operations (SMO)." Focusing on Chapter 3 of FM 3-38,
the depiction of the doctrinal concept of cyberspace
operations as three interdependent functions (see
Figure 7) is consistent with terminology of
USCYBERCOM. While a worthy topic, the detailed analysis of
the CEMA concept depicted in FM 3-38 is beyond the
scope of this monograph.




Figure 7. U.S. Army Cyberspace Operations
Functions.

Following the model of the Quadrennial Defense
Review (QDR) and USCYBERCOM, ARCYBER implements
its mission across four team structures: (1) Joint
Force Headquarters-Cyber to provide operational and
tactical planning support to Combatant Commands;
(2) Cyber National Mission Force to defend the nation
by seeing adversary activity, blocking attacks and
maneuvering to defeat them; (3) Cyber Protection Force
to defend DODIN and, when authorized, other
infrastructure; and (4) Cyber Combat Mission Force to
conduct military cyber operations in support of
combatant commanders. Figure 8 depicts how the goal of
operationalizing cyber is achieved by combining these
teams with the organization shown in Figure 8 and
overlaying them across the ARCYBER mission areas.

Figure 8. U.S. Army Cyberspace Operations
Spectrum.

A recent example of the continuing evolution of 
Army cyber forces to support these team structures is 
the 7th Signal Command (Theater) efforts to establish 
a new Cyber Mission Unit (Provisional) that will focus 
on defensive operations for Army networks. The new 
unit will form Cyber Protection Teams to "conduct 
global cyberspace operations to deter, disrupt, and
help defeat the nation's adversaries in cyberspace.
They will rapidly evaluate, and act proactively and
reactively to dynamic cyber situations."

CYBERSPACE OPERATIONS IN A
GLOBAL CONTEXT

Thus far, this monograph has addressed how cy- 
berspace forces are currently being integrated across 
the full spectrum of traditional domain-based military 
operations. But is this approach sufficient to address 
the full scope of cyberspace operations now and into 
the future? This section takes a more theoretical slant 
to addressing this question as it examines an interna- 
tional environment of multiple actors interacting with 
varying degrees of tension. In such a global situation, 
cyberspace operations seeking to produce certain ef- 
fects must also be examined for their potential to cause 
escalation of activities; possibly even up to the point 
of existential threat. 

When the stakes become this high, then the topic 
of national deterrence comes into play. Indeed, one of 
the principles to guide development of the Joint Force 
of 2020 is to "include a renewed emphasis on the need 
for a globally networked approach to deterrence and 
warfare." Admiral Rogers during his congressional
confirmation hearing for the position of
CDRUSCYBERCOM noted that "cyber warfare is a complex
and evolving discipline, and the subject of deterrence
is drawing increasing attention at all levels of
government and the Interagency, and in our discussions with
our international partners."

A thorough examination of the topic of how all cy- 
berspace operations influence, and are influenced by, 
global deterrence consideration may require several
volumes of work. Instead, this monograph will
introduce a methodology — the modified Herman Kahn
Escalation Ladder — and use it to analyze the specific
case of active cyber defense (ACD) operations. Readers
may then modify and apply the analysis framework
for their own needs. For our purpose, ACD is
a concept that is currently embodied in the terms
cyber defense in depth or DCO-RA. The effective use
of ACD as an instrument of national policy is not an 
isolated process with defined boundaries. Rather, it 
involves intertwined processes that transpire within 
a dynamic international environment. Ideally, such 
defenses will deter potential aggressors and work to 
defeat any who are not deterred. This section explores 
how ACD may integrate with traditional military op- 
erations across the spectrum of international conflict 
as well as how such defenses influence national re- 
sponses related to deterrence and escalation. 

A key aspect in addressing this issue is to explore 
such activities in the realm of existential threat, which 
traditionally is limited to nuclear warfare. Proper de- 
terrence at this level can serve as an essential element 
of an overall risk reduction strategy to keep inevitable 
and unpreventable minor cyber incidents from escalating.
Thus, let us examine defensive and offensive
cyber capabilities in the context of an expanded mod- 
el for strategic deterrence that embraces and expands 
traditional nuclear deterrence. This approach reflects a 
more realistic international environment where major 
cyber attacks are not considered to be isolated events, 
but rather as one instrument among many aimed at 
achieving strategic goals.

Kahn Model of Escalation and Deterrence.

Current U.S. military doctrine defines deterrence 
as "the prevention of action by the existence of a 
credible threat of unacceptable counteraction and/or 
belief that the cost of action outweighs the perceived 
benefits," but interestingly, the definition for escala- 
tion has been removed. This change appropriately 
reflects the doctrine's focus on theater-level military 
operations using a six-phase model with a second 
phase of "Deter." The context for strategic deterrence 
focuses on influencing the decisionmaking of poten- 
tial adversaries not to take actions that threaten vital 
interests. This is achieved through credible threat of 
action in three ways: denying them benefits; imposing
costs; and encouraging constraint. Implicit in this
paradigm is the credibility to raise the stakes — escalate
the conflict — to a point that is not acceptable by
the adversary. 

A famous model developed during the Cold War 
was Kahn's Escalation Ladder that he described as "a 
methodological device that provides a convenient list 
of the many options facing the strategists in a two-sided
confrontation." He illustrated his metaphor as a
ladder with 44 "rungs" grouped into 7 larger crises 
regions of increasing intensity separated by distinct 
threshold events. His concept is useful to view the 
changes in conflict based on the interplay between the 
political, diplomatic, and military issues surrounding 
the conflict and the level of violence and provocation 
at which it occurs. Although created in a different 
era of conflict, the Kahn ladder can be evolved and 
expanded to strategic warfare that includes other 
weapons in the deterrence force mix, such as global 
conventional strike and offensive cyber operations.
The goal is not to replace nuclear forces, but rather, to
develop a more holistic integration of strategic forces. 

Simplified Escalation Ladder. 

To examine a more integrated deterrence meta- 
phor, let us first simplify the Kahn ladder by limiting 
it to the seven major crisis regions and their thresh- 
olds. In the original model, the Bizarre Crises region 
included five rungs that depict the initiation of actions 
related to limited nuclear warfare in various forms. 
Let us divide these regions at the level of Bizarre Cri- 
ses into a lower half group that encompasses conflict 
at the theatre/regional level and an upper half group
that addresses existential conflict (see Figure 9). 




Figure 9. Modified Kahn Escalation Ladder.

The lower half of the simplified ladder starts with
Subcrises Maneuvering, which consists of political, 
economic, and diplomatic gestures, as well as formal 
declarations, to demonstrate resolve. When military 
forces come into play, the activity crosses the threshold 
to Traditional Crises. In this region, activity increases 
progressively from shows of force and mobilization, 
through harassing acts of violence, and up to dramatic 
confrontations. When military forces become the main 
focus of conflict, the activity crosses the threshold to 
Intense Crises, and the view of nuclear stockpiles 
changes from hypothetical to realistic threats. In this
region, diplomatic measures support coercion using 
provocative acts such as ultimatums, embargos, and 
blockades. Conventional conflict increases in its scope 
and intensity toward the formal declaration of war 
and movement closer to the incorporation of nuclear 
weapons. 

The upper half of the simplified escalation ladder 
deals with conflict that has escalated to the point of 
potential existential threat of nuclear attack. It begins 
with Exemplary Central Attacks where nuclear weap- 
ons are used in a restrained manner against specific 
military, infrastructure, or population targets. As ac- 
tivities progress through the ladder rungs, recipro- 
cal reprisals occur. When military forces become the 
main focus of nuclear weapons, the activity crosses 
the threshold into Military Central Wars. In this re- 
gion, military commanders have access to all the 
resources of the nation as well as nuclear weapons, 
but they use tactics that limit collateral damage to an 
opponent's civilians. Its rungs progress from target- 
ing specific property and forces in equal responses, to 
constrained force-reduction attacks, then to increasingly
intensive counterforce strikes using nuclear
weapons. When these counterforce strikes exceed any
attempt to spare civilians, then the activity crosses the 
final threshold into Civilian Central War. This is the 
region of nightmarish nuclear exchanges that devolve
from "city-trading" attacks of resolve, to purposeful
destruction of the enemy's society, and ultimately to
the insensate launch of all weapons without regard to
consequences.

Movement Along the Ladder. 

Kahn designed his ladder metaphor to examine 
the interrelations between two sets of elements surrounding
a given escalation situation — those specific
to the region of the present conditions and those related
to the dynamics of moving on the ladder. He
envisioned the ladder to model two-sided escalation
(usually the United States and the Union of Soviet Socialist
Republics) that met certain conditions related
to: commitment of resources; value placed on victory;
interest in systems bargaining to preserve precedents;
motivations and strategies for escalation; desire to appear
to be following accepted norms; and danger and
avoidance of upper levels of escalation. He divided
national conduct related to movement on the ladder
into five categories: contractual (quid pro quo); coercive
(stick versus carrot); agonistic (prescriptive rules); stylistic
(accepted norms); and familial (positive cultural
aspects). As one might expect, activities in these categories
would reflect the use of all elements of national
power (political, economic, information), and thus
Kahn asserted that "mere military superiority will not
necessarily assure 'escalation dominance'."

Admittedly, the paradigm is not perfect. The 
movements reflecting escalation are not necessarily
sequential, symmetric, or reversible. Also, the ladder
is not very useful at illustrating the effects of multiple 
simultaneous moves. Any analysis should also recog- 
nize that an adversary will also have a ladder (implicit 
or explicit) that is likely different in its placement and 
perception of conditions. It also assumes the interac- 
tions involve rational players in a model that often 
fails to fully embrace ambiguity and uncertainty re- 
lated to acceptable alternatives and long-term stabili- 
ty. Regardless, the simplified ladder offers a reason- 
able framework to examine an integrated strategy of 
deterrence. 

Examining Escalation and Deterrence. 

With the foundation of the simplified escalation 
ladder, let us apply it to a broader view of strategic 
warfare that includes conventional global strike and 
cyber offensive forces in addition to nuclear forces to 
provide deterrence across domains. Once this is codi- 
fied, we can then examine the roles of ACD in the para- 
digm. To be clear, this is not an examination of a cyber 
escalation ladder developed by Dunn Cavelty. Nor
is it akin to analysis by Martin Libicki that downplays 
valuable lessons from the Cold War and considers
"cyber escalation" largely in isolation. Rather, this
analysis addresses a more evolutionary and holistic 
view of modern deterrence and warfare with a scope 
emphasizing various forms of the military instrument 
of power. For the scope of this monograph, examples 
of national policies and doctrines will be drawn from 
those of the United States.

Types of Warfare and Factors.

Conflict in the lower half of the simplified lad- 
der involves the evolving forms of conventional and 
irregular warfare at the theater/regional level. Military
forces are organized, trained, equipped, and employed
in traditional domains, but they also adopt
activities in the cyberspace realm as an integral part 
of joint operations. The U.S. concept of globally in- 
tegrated operations provides guidance and details for 
a force that by 2020 can "quickly combine capabilities 
with itself and mission partners across domains, echelons,
geographic boundaries, and organizational affiliations."
These would incorporate existing teams
from USCYBERCOM that "operate and defend the
networks that support military operations worldwide"
as well as "support combatant commanders
as they execute military missions." Conflicts would
strive to protect national interests and achieve stabil- 
ity in the given region with approaches that adhere 
to internationally acceptable norms. Kinetic attacks 
would emphasize precision of targeting and delivery 
as well as predictable results that are appropriately 
limited in first order and collateral effects. 

In the upper half of the simplified model, conflict 
has escalated to the point where vital national inter- 
ests are threatened, potentially to the degree of exis- 
tential vulnerability. To deter or confront such threats, 
consider a military force structure that adds protected 
conventional strategic strike and offensive cyber capa- 
bilities to traditional nuclear forces delivered by air- 
craft or long-range missiles. This concept developed 
by the U.S. Defense Science Board maintains the need 
for cyber defense of an overarching nuclear capability 
as well as a portion of conventional global strike forces
that are segmented from similar lower half forces
to receive enhanced cyber survivability measures. 
Akin to the original Kahn model, attacks will inten- 
sify to counterforce targets and then broaden to civil- 
ian infrastructure toward a worst case of being totally 
indiscriminate. Conflicts at these degrees of escalation 
are likely to operate outside of accepted international 
norms, or perhaps even in ways where no norms exist. 
Weapon delivery precision, effect predictability, and 
collateral damage avoidance become more difficult 
due to the increased intensity of operations as well 
as less important when compared to the increasing 
national stakes. 

The strategic war threshold between the lower and 
upper escalation areas is no longer limited to the use 
of nuclear weapons, and, in fact, it is highly unlikely 
that any limited nuclear exchange would occur. Rath- 
er, this becomes the region where limited offensive cy- 
ber or conventional global strike may begin against vi- 
tal targets found in the upper half. Such strikes could 
have effects beyond the accepted proportionality and 
perfidy of those in the limited conflict, whether by de- 
sign or by accident. Thus, it is crucial for forces to be 
cautious in the use of such weapons to minimize un- 
intended consequences that may cross into the upper 
half of the ladder. 

Dynamics of Conflict. 

In the lower half, Kahn notes there are three main 
ways to escalate a limited conflict: increase its inten- 
sity; widen the area; or compound the escalation by 
attacking other actors. He offers an analogy for this 
area's dynamics as being similar to those of a labor 
strike. In each case, it is assumed that both sides have
serious issues to resolve, sometimes through threats
of harm, but there is no real desire to do permanent or
excessive damage. As with a labor strike, the conflict
may require considerable give-and-take bargaining to
ensure stability between the parties.

In contrast, conflict in the upper half of the ladder 
can be likened to a game of "chicken," a contest of 
brinksmanship that creates a winner when the loser 
loses their nerve (such as driving two cars toward 
each other to see who will swerve to avoid a collision). 
Unfortunately, in the worst case, both parties are destroyed
(no one swerves), and in the best case, the
loser is humiliated, leaving little chance for compromise
or face saving necessary for long-term stability.
Thus, a strategy of deterrence should include widely 
understood precedents and thresholds to be reliable 
for stability and controlled escalation that can prevent 
a game of chicken being played with nuclear weapons. 

Roles of Active Cyber Defense. 

As previously noted, the term ACD has no uni- 
versal definition, but it is generally considered to in- 
clude proactive measures that may extend beyond the 
particular network being defended. The roles of ACD 
and their relation to the dynamics of conflict and es- 
calation can be illustrated as the ladder turned on its 
side as in Figure 10. In the lower half of conflict, the 
reality that there will always be minor cyber probing 
and attacks has been accepted and planning guidance 
now addresses resiliency for operating in a degraded 
network environment. For the U.S. military, the ACD 
is a "synchronized, real-time capability to discover, 
detect, analyze, and mitigate threats and vulnerabilities"
which includes proactive operations "at network
speed by using sensors, software, and intelligence to
detect and stop malicious activity before it can affect
DoD networks and systems."

Figure 10. Relation of ACD to the
Dynamics of Conflict and Escalation.

Ideally, ACD applications are limited to achieve 
the minimal effects necessary to defend the military 
network. This reflects several forms of national mo- 
tivation; primarily contractual— working toward a 
reasonable cost/ benefit balance — as well as agonis- 
tic-functioning along the lines of evolving rules of 
Internet governance. Motivations may also reflect 
familial norms, such as trying to preserve a free and 
open Internet. Stylistic motivations and actions may 
be a source of friction in limited conflict since they are 
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often tied to national character and culture, which can 
vary greatly for cyberspace issues among the United 
States, Russia, China, North Korea, and others. Moti- 
vations of explicit coercion are not expected unless one 
is willing to accept possible escalatory consequences. 

In military terms, any ACD actions that extend 
beyond blocking network access points would strive 
to be precise, proportional, and limited in scope. The 
focus would be to enhance joint operations of general
purpose forces at the tactical and operational levels —
mainly intelligence gathering and defenses that
operate under decentralized authorities. If kinetic
attacks reach the level of armed conflict, then supporting
cyber operations should also follow the tenets of
the Law of Armed Conflict (e.g., necessity, distinction,
proportionality). As such confrontations occur in the
future, systems bargaining among nations may lead 
to the development of formal and informal rules of 
engagement that add stability and reduce the chance 
for unintentional escalation. Certainly, nonstate actors 
can and do operate in cyberspace asymmetrically and 
outside of international norms, but that is beyond the 
scope of this discussion. 

In the upper half of Figure 10, the goal is to prevent 
conflict from escalating to a game of chicken with nu- 
clear arms. Of course, a strategy of deterrence requires 
the capabilities and resolve to conduct extreme vio- 
lence in order to influence a potential adversary not to 
pursue such a course of action. If such forces are used, 
the concern for precision would focus on effectiveness 
with decreased concern for limiting collateral damage. 
Similarly, the criteria for distinction of purely military 
targets, especially in the cyber realm, may be relaxed 
in order to protect critical deterrent forces.

A prudent force structure in this case is to have
separate ACD capabilities that are optimized to ensure
the proper function of the deterrent forces — conventional
strike, cyber offense, and nuclear strike.
ventional strike, cyber offense, and nuclear strike. 
This approach also makes sense from a budget and 
resource perspective since the expense in adding ad- 
ditional protection, survival, and resilience measures 
would be confined to the critical portion of strategic 
ACD. Operations at this level would require "fires" 
authority that "should reside at the highest levels of 
government" with no decentralization. This is consistent
with the traditional nuclear operations concept
of execution direction being provided by a limited
number of national command authorities. The national
motivation leans heavily toward coercion after
diplomatic efforts become increasingly strained and
ineffective.

Clearly, the threshold area is a critical transition 
from regionally limited conflict that largely conforms 
to international standards to a much riskier engage- 
ment that can escalate to existential stakes. In this 
area, kinetic activity has reached the levels of armed 
attack or perhaps armed conflict, and belligerent cy- 
ber activity has gone from minor probing and isolat- 
ed intrusions to more complex and pervasive attacks. 
Criteria discussed in the Tallinn Manual can help as- 
sess its international legal implications, but if the 
state-sponsored attacks begin against such targets as 
banks and power grids, the intensity and stakes move 
toward the upper half. While military ACD will still be 
operating at the tactical and operational levels, there 
needs to be additional measures of ACD extending to 
help protect against attacks on civilian and infrastructure
targets. Chairman of the U.S. Joint Chiefs General
Martin Dempsey recently noted about such cyber
aggression: "It's not just an inconvenience, if we lost
critical infrastructure on the east coast for a period of
time, people's lives would be lost." The ACD required
to protect cyber targets outside of military networks
would be broader in scope and require interagency
consultation, cooperation, and resources. Potential
ACD actions by citizens and private industry touch 
on many unresolved controversies that merit further 
discussion. 

Table 2 summarizes the types of forces expected at 
each area of the simplified model; ACD is considered 
as a subset of cyber forces. Allied and coalition mili- 
tary forces would also be present at each level and the 
added complexity of their operations merits more de- 
tailed analysis beyond this monograph. Circumstanc- 
es will dictate where activity begins along the escala- 
tion ladder; it need not begin at the lowest point. Any 
ensuing escalation need not be sequential or linear in 
its progression. Kahn offered several criteria to con- 
sider for measuring the degree of escalation possible 
in any particular time which in turn can indicate the 
scope of ACD required. First, one must examine the 
current scale, scope, and intensity of violence of the 
conflict as well as the resolve (or recklessness) demon- 
strated. Next, one should assess if any actual damage 
has been done. What is the apparent closeness to war 
moving to the upper half of the ladder? Evaluating the 
stability of the conflict is important to determine the 
likelihood of eruptions or spikes in attacks that could 
fuel escalation. This would include evaluating what 
provocation has occurred and what precedents have 
been broken as well as what threats have been intended
or perceived.

Table 2. Use of Military Forces in
Simplified Escalation Ladder Areas.

Active Cyber Defense and Deterrence. 

Since an expanded deterrent capability with surviv- 
ability enhanced by ACD measures plays an essential 
role in controlling conflict escalation, there is merit in
a more detailed review of an implementation concept
possible for U.S. forces. Figure 11 depicts a concep- 
tual design for ACD interfaces supporting deterrence 
operations in the upper half of the escalation ladder. 
The ACD activities would operate in two modes: an 
automatic mode with triggers based on a priori crite- 
ria established and updated by command authorities 
and a manual mode that requires command author- 
ity direction for execution. Situational awareness is 
maintained through information provided by strate- 
gic intelligence sources as well as tactical and opera- 
tional indications and warnings. Results from ACD 
actions — cyber battle damage assessment — are pro- 
vided as feedback. Decisionmaking by national com- 
mand authorities can be supported by artificial intel- 
ligence systems that can develop and assess courses of 
action, perhaps leveraging advanced "mindreading" 
designs that can rapidly perform modeling, simula- 
tion, and prediction reflecting fifth-order beliefs. 




Figure 11. Details of ACD in Deterrence 
Operations.

The ACD system would provide continuous automated
protection for the deterrence strike forces
shown as well as the command and control systems of 
the command authorities. The first line of kinetic de- 
terrent forces would be conventional global strike forc- 
es that are always segmented from general purpose 
forces — thus no dual purpose missions are allowed 
for these forces in limited conflict. These would be of 
sufficient quantity for anticipated threats, perhaps as 
few as 20 long-range aircraft plus long-range missiles. 
The ultimate deterrent remains nuclear forces, which 
would continue to be a mix of weapons delivered by 
aircraft and land- and sea-based ballistic missiles in 
numbers that reflect continuing arms reduction.

The specific roles of offensive cyber strike forces 
are currently ambiguous and activities may overlap 
between ACD that assertively negates cyber attacks 
against deterrence forces and offensive cyber attacks 
for counterforce operations. The 2011 U.S. Internation- 
al Strategy for Cyberspace includes a declaratory state- 
ment that supports its inherent right to self-defense 
and deterrence: "When warranted, the United States 
will respond to hostile acts in cyberspace as we would 
to any other threat to our country." It goes on to state 
that such response may "use all necessary means — 
diplomatic, informational, military, and economic — as 
appropriate and consistent with international law."
Healey and Wilson examined cyber offensive actions
and their approximate physical world equivalent and
how existing executive and legislative provisions may
apply to them. A recent study by The Defence Academy
of the UK cautions that "online weapons may be
unreliable or uncertain in their effects" and that such
weapons "coupled with an explicit policy of conventional
military kinetic retaliation risks rapid escalation
of real-world war." Other respected theorists such
as Colin Gray are more conservative in their assessments,
offering that "cyber offense usually is likely to
achieve some success," but that "the harm we suffer
is most unlikely to be close to lethally damaging;"
concluding that "it is clear enough today that the sky
is not falling because of the cyber peril." Clearly,
the topic of integrating cyber offensive into strategic 
operations requires further extensive study. 

Deterrence Effectiveness. 

Perhaps some Cold War lessons learned can serve 
as a "litmus test" for an updated deterrence strategy 
incorporating ACD and cyber offence. Richard Kugler 
posits that U.S. nuclear deterrence worked because it 
was credible; it was conducted in the context of po- 
litical dynamics; it denied the Soviet Union any fa- 
vorable prospects from aggression; it favored devel- 
opment of flexible options; and it minimized the risk 
of unwanted escalation. Incorporating ACD into
deterrence improves credibility by enhancing deter- 
rence force capabilities and survival. Also, having a 
declaratory statement from the country's executive in 
an official public document demonstrates resolve and 
legality. As Eric Jensen noted, "while this statement 
was controversial when made, there is no doubt of its 
legality." The updated escalation ladder adds perspective
on how to view ACD and other cyber support
of operations not in isolation, but in the context
of all elements of national power. Admittedly, this 
section has viewed these issues from the perspective 
of the United States, which implicitly includes mutual 
military commitments with allies; further discussion 
should examine this more explicitly. Having a three-pronged
deterrence force protected by ACD strives to
influence an adversary's decisionmaking by not only
denying benefits, but also by imposing costs and inducing
restraint. Implementing such a cross-domain
framework "would contribute to more effective deterrence
and crisis management." By design, this cross-domain
force provides national command authorities
with flexible options that are beyond nuclear-only in 
case of extreme escalation. In theory, while having 
more options below the nuclear level may reduce the 
chance of reaching the ultimate limit of war, there is 
no guarantee that it would minimize the risk of un- 
wanted escalation below that threshold. 

RECOMMENDATIONS 

This monograph examines the past and present 
of joint and Army cyberspace military operations as 
well as how these operations may fit into the complex 
and dynamic sphere of international deterrence and 
escalation. To facilitate the best evolutionary path for 
future activities it recommends the following actions 
be considered. 

Current Military Cyberspace Priorities. 

The five command priorities set forth by General 
Alexander and carried forward by Admiral Rogers 
seem appropriate for the current evolution of US- 
CYBERCOM and progress on them continues at a 
steady pace. However, some of the successes in opera- 
tionalizing cyberspace are hidden behind question- 
able classification decisions. Specifically, it is difficult 
to comprehend why the inaugural version of JP 3-12 
was issued as a secret document instead of an unclassified
document with a classified annex. This unnecessary
occlusion of basic doctrinal tenets (such as those
in FM 3-38) greatly hampers both U.S. and allied plan- 
ners and military educators. This is particularly ironic 
when one considers that the former manifestation of 
JP 3-12 was as Doctrine for Joint Nuclear Operations, a 
document that was somehow kept unclassified. As 
cyberspace doctrinal information is incorporated in 
updates of capstone documents (e.g., JPs 3-0 and 5-0 
[Joint Operation Planning]), the developers should con- 
sider adding a concise cyberspace annex that serves 
as a primer for cyberspace domain considerations. 
Military and national cyberspace activities writ large 
would benefit greatly if dedicated cyberspace theory 
development was promulgated that includes explo- 
ration beyond the domain definition of cyberspace. 
All of these recommendations could be supported 
by efforts at the Army's fledgling Cyber Center of 
Excellence. 

Authorities. 

Determining the appropriate authorities involved 
with decisionmaking and cyberspace operations, such 
as ACD actions, through the escalation ladder will con- 
tinue to be a challenging and evolving issue. Military 
forces are developing doctrine and force structures 
to incorporate existing cyber related forces as well as 
newly defined positions. Ideally, these are tested, re- 
fined, and validated in exercise situations before full 
employment. However, as conflict escalates, so does 
the need to coordinate military operations with other 
powers of government as well as with allies and in- 
ternational governance bodies. Potential ACD actions 
by citizens and private industry and their impact on
the conflict environment also have responsibility and
legitimacy issues that cannot be ignored. At the high- 
stakes end of operations, one of the greatest challeng- 
es is determining ways of applying and updating the 
a priori authorities for ACD protecting deterrence forc- 
es. Jensen offers a detailed and nuanced assessment of 
legal issues related to cyber deterrence.

Strategic Communication. 

As work progresses toward better definition of cy- 
berspace force roles based on context and dynamics 
of escalation framework, this must include strategic 
communication. These are planned and coordinated 
activities to provide the actions, images, and words 
necessary to help make the modified deterrence effective
in the ways intended. Manzo notes that:

cultural differences, contrasting strategic objectives,
differing strengths and vulnerabilities can cause decisionmakers
in the United States and other countries to
reach different conclusions about proportionality and
escalation.

Efforts to overcome such differences could lever- 
age studies like Melissa Hathaway's recent develop- 
ment of a Cyber Readiness Index, which examines 
the maturity and commitment for cybersecurity by 
35 countries, including those that had formally estab- 
lished national strategies and competent authorities, 
mostly in nonmilitary areas. Also, the publication
of an unclassified version of JP 3-12 would contribute 
to the international understanding and commitment 
of U.S. cyberspace forces. All of these activities would 
support strategic engagement — the socio-political 
support for cyberspace operations — as the second dimension
of full spectrum operations.

Multi-Role Modeling.

Creating a realistic model for cyberspace force 
roles in escalation and deterrence requires a holistic 
consideration of environmental influences. As Ronald 
Deibert notes, "Securing cyberspace requires reinforcement
of restraint on power, including checks and
balances on governments, law enforcement and intelligence
agencies." The first dimension of full spectrum
operations involves the psychological contest of
wills. The Kahn ladder was never envisioned for application
beyond modeling interactions between two
nations. To portray our multipolar world more accu- 
rately, models need to not only consider interactions 
between multiple nations, but also that the "policies 
to deter one type of adversary may differ from those 
needed to deter another adversary, with varying de- 
grees of soft and hard rhetoric or of positive incentives 
and punishing responses." The model should also
include the dynamic of groups of nations, especially 
those in formal alliances such as the North Atlantic 
Treaty Organization (NATO). Finally, the activity of 
individuals and nonstate actor groups — some operating
within accepted international norms, some
not — can present asymmetric challenges and poten- 
tial threats to the dealings amongst nations and thus 
should be included in the multi-role models. 

Other Paradigms and Factors. 

In addition to considering Cold War models such 
as the Kahn ladder, Sean Lawson also examined other 
metaphors as frameworks for analyzing cyberspace ac- 
tivities related to strategic deterrence. He posits there
are similarities between insurgency or biological warfare
and cyber crime and espionage. Paradigms are
needed to model cyber activity outside of designated 
military networks; these could help better define the 
threshold separating ACD that negates cyber attacks 
against deterrence forces from offensive cyber attacks 
for counterforce operations. Finally, the longer-term 
dynamics of de-escalation and counter-proliferation 
measures, such as potential arms control in cyber- 
space, introduce valuable methods for achieving and 
maintaining a more stable international environment 
in all domains. 

CONCLUDING REMARKS 

Military cyberspace operations have been ongo- 
ing since before the advent of the Internet. Such op- 
erations have evolved significantly over the past 2 
decades and are just now emerging into the realm of 
military operations in the traditional domains of land, 
sea, and air. To facilitate the operationalization of this 
new domain, education of the tenets of cyberspace 
must occur at the tactical, operational, and strategic 
levels of leadership. More importantly, the deliberate 
pursuit of understanding the full scope of cyberspace 
beyond that of a mere domain is essential for provid- 
ing a theoretical foundation for current and future op- 
erations. Also in this regard, the development of such 
fundamental theory should look forward to embrace 
potentially radical manifestations of cyberspace in the 
future as well as looking back at its history. 

The persistent increase of cyberspace activities in 
global events continues to make international dynam- 
ics more complex. The scope of context for such matters 
needs to consider not just other military efforts or even 
other instruments of national power, but how they are 
presented in an escalation framework and where they
may be going. A modified Kahn escalation ladder is 
a useful metaphor to explore how cyberspace activi- 
ties may integrate with traditional military operations 
across the spectrum of international conflict as well as 
how such defenses influence national responses relat- 
ed to deterrence and escalation. Expanding deterrence 
forces to include conventional strike and cyber offense 
can add capability and credibility as well as flexibility 
to course-of-action development available for nation- 
al command authorities. Cyberspace operations such 
as automated cyber defense can support and enhance 
deterrence operations and limited conflict as well as 
help control escalation and reduce risk. 

APPENDIX



The following diagram is taken from Chapter IV 
of JP 3-12(R), Cyberspace Operations, that was declassified
and posted for public access on October 21, 2014.
It depicts typical military cyberspace command and 
control structures for steady-state and contingency 
operations. Note that the organization listed as "USS- 
RATCOM" in the upper left corner of the figure is a 
typographic error for "USSTRATCOM." 



[Figure: Cyberspace Command and Control Organizational Construct. Panel label: Global Steady-State Combat Support.]

Figure A-1. Cyberspace Command and Control
Organizational Construct.